41

Possible duplicate, but couldn't find any clear answers.

Dependabot cannot update nth-check to a non-vulnerable version The latest possible version that can be installed is 1.0.2 because of the following >conflicting dependency:

react-scripts@5.0.0 requires nth-check@^1.0.2 via a transitive dependency on css-select@2.1.0

just upgraded to react-scripts@5.0.0 from 4.0.0.

Abdul Mahamaliyev
  • 750
  • 1
  • 8
  • 20
  • If you had written *I just upgraded to react-scripts@5.0.0 from 4.0.0.* in a self-answer, everything would have been perfectly clear to me. As you've written it now, I cannot get my head around whether *just upgraded to react-scripts@5.0.0 from 4.0.0* is part of your question or not. Am I right to assume that it's ***not***? – Henke Mar 30 '23 at 16:32
  • Or are you saying *I also upgraded to react-scripts@5.0.0 from 4.0.0, **but it didn't help**.* ?? – Sorry for saying this, but your "question" is extremely *confusing*. – Henke Mar 30 '23 at 16:52
  • And you haven't even explained how you got the message *Inefficient Regular Expression Complexity in nth-check*. Where does it come from? Did you run `npm audit [fix]`? What did you do? You're not explaining much to help the reader. Nor did you explain where GitHub comes into all of this. What Git command (if any) did you run? I would have wanted enough information to make this a [minimal, complete, and verifiable example](https://stackoverflow.com/help/minimal-reproducible-example). – Henke Mar 31 '23 at 09:14

11 Answers11

63

As Dan Abramov explains in this issue, it is (very likely) a false alarm and can be safely dismissed.

More specifically, if you are using CRA and nth-check is referenced only from it, it is not an issue, because CRA is a build tool and the vulnerable code will never get into the resulting application bundle and thus will never be called by client code.

You can verify this by moving "react-scripts" into "devDependencies" in package.json and running npm audit --production.

kidney
  • 2,663
  • 17
  • 23
  • in my case `npm audit --production` still report the same vulnerability even if "react-scripts" is moved into "devDependencies" – Chris Apr 03 '22 at 15:29
  • 1
    In that case I would suspect you indeed are using a vulnerable version of the reported library. You can check `package-lock.json` to find where the relevant library is depended on. – kidney Apr 04 '22 at 11:53
  • @Chris did you clear your node_modules and reinstall before running the audit again? – dzny Apr 08 '22 at 14:41
  • yes removed node-module and yarn.lock file but audit still report nth-check vulnerability (only referenced by react-scripts). I ended up to add "resolutions": { "nth-check": "^2.0.1" } in my package.json file to fix it. CRA is still working after to fix. – Chris Apr 09 '22 at 15:10
  • 3
    I tried this approach, but GitHub's Dependabot is still flagging this as a problem even though my `npm audit --production` says `found 0 vulnerabilities`. – Ryan Aug 31 '22 at 20:23
  • Working with npm version 8.15.0, I got a warning in the console after running `npm audit --production`. To avoid that warning, you can run `npm audit --omit dev` instead. – fjplaurr Feb 14 '23 at 17:03
25

A few points before telling you the workaround:

  1. It seems that the react-scripts vulnerability is a false alarm (as discussed here). Dan Abramov also wrote a fascinating in-depth blog post about how npm audit works and how it's somehow broken especially for front-end tooling by design.

  2. Since react-scripts is essentially a build tool, even if the vulnerability was indeed genuine, it would be considered only a development issue since it'll be stripped from the production bundle anyway.

So if you do nothing about this so-called "vulnerability", nothing bad gonna happen and it's perfectly fine. But if the red alarm that a vulnerability exists is annoying you either aesthetically or is disrupting your CI/CD then read on.

Workaround:

The problem seems to be starting with the lib @svgr/webpack 4.0.0 - 5.0.0.

If you are using node version >= 16, you can install @svgr/webpack by yourself, in my case I installed the version: ^6.2.1 as devDependency.

enter image description here

After that, you should create a overrides (or resolutions if you are using yarn) section in your package.json and include the line: "@svgr/webpack": "$@svgr/webpack".

enter image description here

And last, you must remove your node_modules folder and your package-lock.json, and execute npm install.

Workaround credit.

Mahdi Ghajary
  • 2,717
  • 15
  • 20
  • I got `warning Resolution field "$@svgr/webpack" has an invalid version entry and may be ignored` during `yarn install`. – Ryan Aug 31 '22 at 20:27
  • The correct entry in `"overrides"` and `"resolutions"` would be `"@svgr/webpack": "^6.2.1"`. Make this change and then run `yarn audit` or `npm audit` – Uzair Sep 03 '22 at 11:48
  • 1
    `"overrides": { "react-scripts": { "@svgr/webpack": "^6.5.1" } }` This would be a better approch – Pramuditha Chamikara Nov 05 '22 at 15:33
  • Also installed version 6.5.1 (see versions [here](https://github.com/gregberge/svgr/releases)), 7.0.0 is currently latest. And used the code snippet @PramudithaChamikara wrote – Dror Bar Apr 09 '23 at 07:23
  • @Mahdi Ghajary Thank you for your proposal, the warning disappear. Can you explain more what the line "@svgr/webpack": "$@svgr/webpack" does ? Thank you – jozinho22 Jun 11 '23 at 13:55
8

I confirm it still works as of react-scripts 5.0.1 that you can move your version of react scripts from "dependencies" to "devDependencies" in package.json like this:

 "devDependencies": {
    "react-scripts": "^5.0.1"
  },

"devDependencies are packages that are consumed by requiring them in files or run as binaries, during the development phase. These are packages that are only necessary during development and not necessary for the production build."

Run "npm audit --production" to show that you do not need react-scripts at production.

Of course, if you still run into vulnerabilities, another package might have caused the vulnerability.

https://dev.to/moimikey/demystifying-devdependencies-and-dependencies-5ege

richard
  • 99
  • 1
7

Open package.json. You will find this:

"dependencies": {
    "react": "^17.0.2",
    "react-dom": "^17.0.2",
    "react-scripts": "4.0.3"
  }

Take react-scripts and move it to devDependencies (if you don't have it, create it):

  "dependencies": {
    "react": "^17.0.2",
    "react-dom": "^17.0.2"
  },
  "devDependencies": {
    "react-scripts": "4.0.3"
  },

Then, ensure you run "npm audit --production"

This will fix your warnings.

mc-user
  • 1,769
  • 4
  • 14
  • 25
Vedansh
  • 71
  • 1
  • 1
2

I also am on react-scripts@^5.0.0

So, I would personally recommend to use yarn first. But everybody has their own preferences! to do so, can type

npm install --global yarn

after that you could remove your package-lock file and run following command in the folder of your app of course

yarn

(such a surprise.) This will generate a yarn.lock file. Note that you should avoid using yarn and npm at the same time !

In that very same yarn.lock file, you will have to search for nth-check string! In a brand new react app (so far), you should find 8 occurrences of that string. This string will be set next to a package version. That's what you want to change.

In my case, I have for example

nth-check@^1.0.2: //so far. This version can be different for an older projet.
  version "1.0.2"
  resolved "https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz"

You want top change all those wrong versions. It should look like this :

nth-check@^2.0.1:
  version "2.0.1"
  resolved "https://registry.npmjs.org/nth-check/-/nth-check-2.0.1.tgz"

You will have to change a couple versions though. Not just one. I dit it (-6 times I believe. If you save the file, launche a simple

yarn

command followed by a

yarn audit

It SHOULD fix one of your problems!

Hope this was helpfull. Cheers!

LoveriusB
  • 418
  • 4
  • 11
1

If any of the above mentioned methods didn't work, then try this :

First check if the vulnerability is used in your code using the

npm-check

Now if the vulnerability module is not used in the code, then head-over to the 'package-lock.json' and search for the vulnerability path like

node_modules/svgo/node_modules/nth-check

and remove this dependency in the json file

Then run

npm audit

This will display

found 0 vulnerabilities

This mostly occurs when used

npx create-react-app "app"

and tried to install a module " React-Scripts"

DialFrost
  • 1,610
  • 1
  • 8
  • 28
Jayanth
  • 27
  • 1
  • 5
  • Try this after trying all the methods to fix the vulnerabilities. – Jayanth Aug 15 '22 at 07:54
  • 1
    I tried using this method. However, on running ```npm install``` it creates the nth-check dependency back in package-lock.json – Sumit Ghewade Aug 19 '22 at 16:01
  • That's how it works. package-lock. json is automatically generated for any operations where npm modifies either the node_modules tree, or package. json. – Jayanth Aug 22 '22 at 07:12
0

I had to change a particular dependency and its child dependency version to 2.0.1 , in my case dependency which had the problem was "css-select@npm:^2.0.0" ,

Just have search for nth-check in yarn.lock file and you will find the nth-check dependency as child dependency inside "css-select@npm:^2.0.0" there you need to change the version form "1.0.2" to "2.0.1" it would looks something like bellow

css-select@npm:^2.0.0":
  version: 2.1.0
  resolution: "css-select@npm:2.1.0"
  dependencies:
    boolbase: ^1.0.0
    css-what: ^3.2.1
    domutils: ^1.7.0
    nth-check: ^2.0.1 // this is where you need to make change
  checksum: 0c4099910f2411e2a9103cf92ea6a4ad738b57da75bcf73d39ef2c14a00ef36..
  languageName: node
  linkType: hard

Any dependency still using this old version of nth check as child dependency have to updated and that will fix the issue

Divakar R
  • 773
  • 1
  • 8
  • 36
0

In the package-lock.json, make the updates for all of the nth-check fields based on the version in GitHub Dependabot alert:

For example, for >=2.0.1, update fileds (version, resolved and nth-check) as shown below:

"node_modules/svgo/node_modules/nth-check": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/nth-check/-/nth-check-2.0.1.tgz", // just update version part (2.0.1)
      ...
}

"node_modules/svgo/node_modules/css-what": {
@@ -23901,7 +23901,7 @@
        ...
        "nth-check": ">=2.0.1"

After this, run npm audit --production to verify.

Murat Yıldız
  • 11,299
  • 6
  • 63
  • 63
0

To identify nth-check outdated dependencies, please run the command:

npm list nth-check

then, you will see in your terminal something like:

`--  nth-check@2.1.1

`--  nth-check@1.0.2

here you can see that some dependecies are updated and others outdated. Next, in your editor you could search in all your files for "nth-check" and you will see wich files have version "nth-check@1.0.2" for example.

then you replace manually these dependecies with last version that you see, for example:

nth-check@2.1.1 instead nth-check@1.02

then in your terminal tray again :

npm i

and this vulnerabilty should dissapear

Vick Faby
  • 1
0

https://github.com/facebook/create-react-app/issues/4342

check this link, clearly you can see that react-scripts is not devDependency. react-scripts package includes polyfills that are used in production. so the answer that you have marked as right is not right.

Salmanul faris M P
  • 21
  • 3
  • While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/34671853) – Harrison Jul 16 '23 at 09:12
-3

in your CMD and check " npm -g list "

and "npm install -g create-react-app"

after that "npx create-react-app ./"

omar mahjoubi
  • 1
  • 1
    [***You absolutely should not be installing `react-scripts` globally.***](https://stackoverflow.com/a/75877180) – Henke Mar 30 '23 at 16:48